CHFI module 13: Mobile forensics


DOCUMENT INFORMATION

Contents

Knowledge and experience gained after achieving the CHFI certification:
- Identify the criminal investigation process, including search and seizure protocols, obtaining search warrants, and other applicable laws
- Classify crimes, types of digital evidence, rules of evidence, and best practices in computer evidence examination
- Conduct and document preliminary interviews, and secure and evaluate computer crime scenes
- Use the relevant investigation tools to collect and transport electronic evidence, and investigate cybercrime
- Recover deleted files and partitions in common computing environments, including Windows, Linux, and Mac OS
- Use the Forensic Toolkit (FTK) data access tool, steganography, steganalysis, and forensic image files
- Crack passwords, understand the types of password attacks, and use the latest tools and technologies for recovering passwords
- Identify, track, analyze, and defend against the latest network, email, mobile phone, wireless, and web attacks
- Find and provide effective expert evidence in cybercrime cases and legal proceedings

Computer Hacking Forensic Investigator v9
Module 13: Mobile Forensics
Exam 312-49
Designed by Cyber Crime Investigators. Presented by Professionals.
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Module Objectives

After successfully completing this module, you will be able to:
- Discuss mobile device forensics and understand why it is needed
- Understand the role of mobile hardware and OS while conducting forensics on mobiles
- Illustrate the architectural layers of the mobile device environment
- Illustrate the Android architecture stack and demonstrate the Android boot process
- Illustrate the iOS architecture stack and demonstrate the iOS boot process
- Determine mobile storage and evidence locations
- Understand what you should know before performing an investigation
- Perform mobile forensics

Mobile forensics is the science of recovering digital evidence from mobile devices under forensically sound conditions. With the increase in the usage of mobile devices every day, mobile forensics is growing in importance. This module highlights the precautions that a forensic analyst must take when collecting, preserving, and acquiring mobile devices such as smartphones, PDAs, digital cameras, Internet of Things devices, etc. This module will familiarize you with the topics listed above.

Mobile Device Forensics

- Mobile phone forensics is the science of recovering digital evidence from a mobile phone under forensically sound conditions
- It includes the recovery and analysis of data from mobile devices' internal memory, SD cards, and SIM cards
- Mobile forensics aims to trace the perpetrators of crimes that involve the use of mobile phones

Mobile phone forensics involves the examination and reporting of all possible sources of digital evidence in a forensically sound manner. The investigator reports and presents the evidence in a court of law to prove the incident. Mobile phone forensics includes the extraction, recovery, and analysis of data from the internal memory, SD cards, and SIM cards of mobile devices. Forensic experts analyze the phone by examining incoming and outgoing text messages, pictures stored in the memory of the phone, call logs, email messages, SIM data, deleted data, etc., in an attempt to trace the perpetrators of crimes that involve the use of mobile phones.

Why Mobile Forensics?
Slide figures (sources: http://www.statista.com, http://www.three.co.uk, http://www.kaspersky.com):
- Mobile payment users: 384 million (2015), 425 million (2016)
- Mobile payment transactions: $450 billion (2015), $620 billion (2016)
- 50% of transactions will be made via mobile by 2020
- Internet connections made via mobile devices: 52.7% (2015), 56.1% (2016), 63.4% (2019, projected)
- The number of malware samples targeting mobile devices tripled in 2015 in comparison with 2014
- Approximately 94,344 unique users were attacked by mobile ransomware in 2015, in comparison with 18,478 users in 2014
- Among all malware, ransomware, malware capable of obtaining unlimited rights on an infected device, and data stealers proved to be the most dangerous threats in 2015
- 2016 is likely to see an increase in the complexity of malware and its modifications, with more geographies targeted

With the increase in smartphone usage and mobile payments in recent years, the amount of malware and ransomware has also increased, raising the importance of mobile forensics.
- According to Statista, the number of users making payments through mobile devices increased from 385 million in 2015 to 425 million in 2016, and transactions worth $620 billion occurred in 2016 compared with $450 billion in 2015.
- According to three.co.uk, 50% of transactions will be made through mobiles by the year 2020.
- With the increase in mobile device usage, the share of internet connections made via mobiles increased from 52.7% in 2015 to 56.1% in 2016. It is estimated to increase to 63.4% by the year 2019.
- The number of malware samples targeting mobile devices tripled in 2015 in comparison with 2014.
- Approximately 94,344 unique users were attacked by mobile ransomware in 2015, in comparison with 18,478 users in 2014.
- Among all malware, ransomware, malware capable of obtaining unlimited rights on an infected device, and data stealers proved to be the most dangerous threats in 2015.
- It is likely that 2016 will see an increase in the complexity of malware and its modifications, with more geographies being targeted.

Sources: http://www.statista.com, http://www.three.co.uk, http://www.kaspersky.com

Top Threats Targeting Mobile Devices

- Web- and network-based attacks: launched by malicious websites or compromised legitimate sites. The attacking site exploits the device's browser and attempts to install malware or steal confidential data that flows through the browser.
- Malware: includes traditional computer viruses, computer worms, and Trojan horse programs. Examples: the IKee worm targeted iOS-based devices; Pjapps enrolls infected Android devices in a botnet.
- Social engineering attacks: leverage social engineering to trick users into disclosing sensitive information or installing malware. Examples include phishing and targeted attacks.
- Resource abuse: attempts to misuse network, device, or identity resources. Examples: sending spam from compromised devices; denial of service attacks using the computing resources of compromised devices.
- Data loss: an employee or hacker exfiltrates sensitive information from a device or network. It can be unintentional or malicious and remains the biggest threat to mobile devices.
- Data integrity threats: attempts to corrupt or modify data, either to disrupt the operations of an enterprise or for financial gain. They can also occur unintentionally.
Source: http://www.symantec.com

The following list describes the different types of threats targeting mobile devices:

Web-based and network-based attacks: These attacks are commonly executed through malicious websites or compromised legitimate websites, which execute malicious code on the device's browser and exploit it. Web-based and network-based attacks attempt to install malware or steal confidential data flowing through the browser.

Malware is of the following types:
- Traditional computer virus: comes into force after attaching to a legitimate host program
- Computer worm: spreads from one device to another and tries to propagate across the entire mobile network
- Trojan horse program: performs malicious actions once certain conditions are satisfied

Social engineering attacks: The attacker entices the victim to share sensitive information such as personal details, professional details, and credit card and banking details. Some of the social engineering attacks are as follows:
- Phishing
- Baiting
- Pretexting
- Quid pro quo
- Tailgating

Resource abuse: Attackers aim at misusing mobile device resources (such as network, computing, or identity-related information stored on the mobile) for malicious purposes. The two most common abuses are sending phishing mails and executing denial of service attacks from a set of compromised machines (a botnet), using a command and control center.

Data loss: Data loss occurs when an unauthorized transfer of data takes place from a mobile device. Such a transfer may be induced unintentionally by a legitimate mobile user or illegally by an attacker who has remote access to the device. Data loss is the biggest threat to mobile devices.

Data integrity threats: These threats attempt to modify or corrupt the data stored on mobile devices. These attacks are aimed at disturbing normal enterprise functionality or at financial gain. Data integrity threats may also occur unintentionally through natural causes such as random data corruption.

Source: http://www.symantec.com

Mobile Hardware and Forensics

- Mobile device forensics is highly dependent on the underlying hardware of mobile devices
- Investigators need to take different approaches to mobile forensics depending upon the mobile hardware architecture
- The proprietary hardware of mobile devices makes forensic acquisition difficult
- Knowledge of mobile hardware also becomes essential in the case of a broken or damaged device, when it is not possible to access the device through its data ports

The common mobile hardware components include the application processor, baseband processor, digital signal processor, ADC, DAC, RAM, ROM, and RF front end. The architecture and configuration of these hardware components may differ from device to device. For example, an iPhone may have a different hardware architecture than an Android mobile phone. In such cases the challenges for mobile forensic investigators increase, as there is no standard hardware architecture for mobile phones. Investigators need to apply different tools and techniques to conduct a forensic investigation across such a variety of mobile phones. Thus, a mobile forensic investigator should have sound knowledge of the hardware architectures of different mobile phones. The investigator must identify and know the location of specific components of the mobile phone hardware. For example, he/she should know where the memory chip resides inside the mobile phone in order to conduct chip-off forensics.

Mobile OS and Forensics

- A mobile operating system determines the functions and features available on mobile devices, and manages the communication between the mobile device and other compatible devices
- Diversity in mobile OS architecture may impact the forensic analysis process
- Investigators require knowledge of the underlying OS, architecture, and file systems of the mobile device under investigation
- Knowledge of the mobile OS boot process helps the investigator gain lower-level access

A mobile operating system (OS) is software that enables mobile phones, tablet PCs, and other mobile devices to run applications and programs. A mobile OS determines the functions and features available on mobile devices and manages the communication between the mobile device and other compatible devices. There are several mobile OSs available in the market, such as Google's Android, RIM's BlackBerry OS, Microsoft's Windows Mobile, etc. This proliferation of mobile OSs and models creates various challenges for mobile forensic experts. Investigators require knowledge of the underlying OS, architecture, and file systems of the mobiles under investigation. Knowledge of the mobile OS boot process helps investigators gain lower-level access.

SQLite Database Browsing Tools: Oxygen Forensics SQLite Viewer

SQLite Viewer allows forensic investigators to explore database files with the following extensions: sqlite, sqlite3, sqlitedb, db, and db3.
http://www.oxygen-forensic.com
SQLite Viewer allows the investigator to explore database files. Investigators can access the actual and deleted data stored in databases created by the system and by user applications. SQLite Viewer for Oxygen Forensic Suite offers convenient analysis of device data. The features of SQLite Viewer are as follows:
- Shows data in a convenient table view
- Presents blocks of deleted data for examination
- Allows deleted data analysis
- Allows recovery of clusters of deleted records
- Permits data export to RTF, PDF, XML, XLS, CSV, TSV, and HTML file formats
- Offers a built-in HEX viewer
- Carries a built-in search engine
- Can save big BLOB fields to a file
Source: http://www.oxygen-forensic.com

SQLite Database Browsing Tools

- DB Browser for SQLite (http://sqlitebrowser.org)
- X-plore (http://www.lonelycatgames.com/?app=xplore)
- SQLitePlus Explorer (http://www.eztoolssoftware.com/Tools/sqliteplus/default.asp)
- SQLite Viewer (http://www.totalcmd.net/plugring/sqliteviewer.html)

The following are some browsing tools that an investigator can use to explore data in the SQLite databases of mobile devices.

DB Browser for SQLite (source: http://sqlitebrowser.org): DB Browser for SQLite is an open-source tool to create, design, and edit database files compatible with SQLite.

X-plore (source: http://www.lonelycatgames.com): X-plore allows an investigator to look into the mobile device with complete access to it. It provides a dual-pane tree view, root access, disk map, cloud storage, and an application manager.

SQLitePlus Explorer (source: http://www.eztools-software.com): SQLitePlus allows easy programmatic access to SQLite databases. This COM DLL gives lightning-speed access to SQLite database files from Windows.

SQLite Viewer (source: http://www.totalcmd.net): SQLite is not directly comparable to other SQL database engines such as Oracle, PostgreSQL, MySQL, or SQL Server, since SQLite tries to solve very different problems related to mobile devices; the viewer is used to extract files from mobile databases.

Android Forensic Analysis

- After logical, physical, and file system acquisition, forensic examination and analysis is carried out on the extracted data
- It involves finding the source of evidence from the information obtained by extraction
- The forensic examiner should investigate: mobile phone data artifacts such as contacts, call history, browser, SMS/MMS, and geolocation; raw data artifacts; and the timeline of activities
https://www.oxygen-forensic.com

ViaExtract extensively supports forensic analysis of the data recovered from Android mobile devices. This tool supports almost 46 different kinds of devices and covers almost all manufacturers. ViaExtract uses logical and physical data extraction methods to retrieve the data, and in case a failure occurs while extracting the lost data, the user can then use the file system acquisition technique to dive deeper into the mobile device to look for data. ViaExtract can perform the following activities:
- Acquire: prepare, unlock, and root the device
- Extract: pick from the multiple extractions available for the device
- Analyze: browse and search through the results
- Reporting: generate a detailed report in either HTML or PDF format
Source: https://www.nowsecure.com
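The SQLite viewers above advertise "recovery of clusters of deleted records". The reason this works is that SQLite only marks a deleted cell's space as free inside the page; the bytes stay in the file image unless the secure_delete pragma is on. The following is an added example, not code from EC-Council or from any of the tools listed; it builds a constructed messages database (table and rows are invented), deletes one row, and then compares what a live query returns with what a raw scan of the file still finds, in both the default and the secure_delete=ON case.

```python
"""Why a SQLite viewer can recover deleted rows: deleted cell bytes persist
in the page's free space unless secure_delete is enabled.  Added example,
constructed data only."""
import os
import sqlite3
import tempfile

# Constructed sample rows imitating a messaging app's table (not real data).
SAMPLE_MESSAGES = [
    (1, "+15550100", 1451606400, "meet at the usual place"),
    (2, "+15550101", 1451610000, "transfer done, delete this message"),
    (3, "+15550102", 1451613600, "ok see you tomorrow"),
]
DELETED_BODY = SAMPLE_MESSAGES[1][3]


def build_and_delete(path, secure_delete):
    """Create the DB, insert the rows, delete message id 2, return live bodies."""
    conn = sqlite3.connect(path)
    # secure_delete=ON makes SQLite zero freed cell content; OFF is the
    # usual default and is what makes deleted-record carving possible.
    conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    conn.execute(
        "CREATE TABLE message (id INTEGER PRIMARY KEY, address TEXT, "
        "date INTEGER, body TEXT)"
    )
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    conn.execute("DELETE FROM message WHERE id = 2")
    conn.commit()  # rollback journal is removed after commit in DELETE mode
    live = [row[0] for row in conn.execute("SELECT body FROM message ORDER BY id")]
    conn.close()
    return live


def raw_contains(path, needle):
    """Scan the raw file image, as a viewer's deleted-data pass would."""
    with open(path, "rb") as fh:
        return needle.encode("utf-8") in fh.read()


def deleted_record_recoverable(secure_delete):
    """Return (live_bodies, deleted_text_still_in_file) for one scenario."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        live = build_and_delete(path, secure_delete)
        return live, raw_contains(path, DELETED_BODY)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for flag in (False, True):
        live, found = deleted_record_recoverable(flag)
        print("secure_delete=%s live=%s deleted text in raw file: %s"
              % (flag, live, found))
```

The live query never returns the deleted row in either case; only the raw scan differs. This is the caveat to keep in mind when a viewer shows nothing in its deleted-data blocks: the application may have enabled secure_delete, or the row may have been overwritten by later inserts, so absence of carved records is not evidence that nothing was deleted.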
iPhone Data Extraction

Investigators can adopt three ways to extract iPhone data in order to analyze it forensically:
- Create a physical memory image of the iPhone data using forensic tools such as Cellebrite, XRY, Lantern, Elcomsoft, MPE, Zdziarski, etc.
- Create a file system dump using forensic tools such as Cellebrite, Blacklight, Oxygen, or XRY
- Create an iPhone backup using iCloud or iTunes

If an iPhone is seized at the crime scene and brought to the forensic workstation for analysis, then extracting data from the iPhone requires a different approach, as well as different tools and techniques. There are three types of techniques applied to iPhones for data extraction:

Physical memory image: This creates the complete physical image of the data present in the iPhone. The investigator can extract the data in the form of a bit stream or a DMG image file using tools such as:
- Cellebrite
- XRY
- Lantern
- Elcomsoft
- MPE

File system dump: The file system dump involves creating a partial physical memory image of the iPhone device. It is a subset of the physical memory image. The investigator can perform the file system dump using the following tools:
- Cellebrite
- Blacklight
- Oxygen or XRY

iPhone backup: Investigators can use the iPhone backup feature through iTunes or iCloud to perform a backup of the data stored on the iPhone.

iPhone Data Acquisition Tools

- UFED Touch2 (http://www.cellebrite.com)
- Lantern (http://katanaforensics.com)
- Mobilyze (http://www.blackbagtech.com)
- Aceso (http://www.radio-tactics.com)
- SecureView (http://mobileforensics.susteen.com)
- Athena (http://www.radio-tactics.com)
- NowSecure Forensics (https://www.nowsecure.com/forensics)
- Elcomsoft iOS Forensic Toolkit (https://www.elcomsoft.com/eift.html)
- MOBILedit (http://www.mobiledit.com)
- iXAM (http://www.ixam-forensics.com)

Investigators can use the following tools to perform logical data extraction on an iPhone.

UFED Touch2 (source: http://www.cellebrite.com): UFED Touch2 is a device used to perform physical, file system, password, and logical extractions of evidentiary data.

Mobilyze (source: http://www.blackbagtech.com): Mobilyze is a mobile data triage tool, designed to give users immediate access to data from iOS and Android devices.

SecureView (source: http://mobileforensics.susteen.com): Secure View is a forensic data recovery tool. It also helps with forensic investigations and forensic analysis.

NowSecure Forensics (source: https://www.nowsecure.com/forensics): NowSecure Forensics extracts, parses, and analyzes device data and aids investigators by providing mobile security solutions.

MOBILedit (source: http://www.mobiledit.com): With MOBILedit Forensic, the investigator can view, search, or retrieve all data from a phone with only a few clicks. These data include call history, phonebook, text messages, multimedia messages, files, calendars, notes, reminders, and application data such as Skype, Dropbox, and Evernote.

Lantern (source: http://katanaforensics.com): Lantern allows the user to parse and triage a Mac running OS X or a Mac OS X image, and allows for data extraction, analysis, and auditing.

Aceso (source: http://www.radio-tactics.com): Aceso is a forensically sound data extraction utility for mobile phones, GPS devices, SIM cards, and media cards.

Athena (source: http://www.radio-tactics.com): Athena enables the investigator to extract and process communication and positioning information from GPS units, satellite handsets, phones, and other portable devices.

Elcomsoft iOS Forensic Toolkit (source: https://www.elcomsoft.com): Elcomsoft iOS Forensic Toolkit performs the complete forensic acquisition of user data stored on iPhone/iPad/iPod devices running any version of iOS.

iXAM (source: http://www.ixam-forensics.com): iXAM is used in mobile forensic investigations to provide any information from a stored contact or text message to an email, photograph, or specific map location.

iPhone Forensic Analysis Using the Oxygen Forensics Detective

Perform iPhone forensic analysis using the Oxygen Forensics site. It can extract device information, contacts, calendar events, SMS messages, event logs, and files.
http://www.oxygen-forensic.com

Oxygen Forensic Detective helps forensic investigators extract data from iPhone mobile devices. The investigator not only extracts the data but can also complete the investigation process using this tool. The following features briefly describe the actions performed by the Oxygen Forensics Suite:

- SQLite Viewer: The SQLite Viewer allows for the exploration of database files with the following extensions: sqlite, sqlite3, sqlitedb, db, and db3. Experts have access to the actual and deleted data stored in databases created by system and user applications.
- Plist Viewer: Plist files, known as Property List XML files, contain a considerable amount of valuable forensic information on Apple devices. Data such as browser history, Wi-Fi access points, speed dials, Bluetooth settings, global application settings, and Apple Store settings can be extracted from plist files.
- Device Information: The device information section displays complete technical information about the device. This includes details regarding the manufacturer, retail model name, platform and its revision, IMEI, MAC addresses, IMSI, serial number, phone number, and any other model-specific data.
- Passwords: The passwords section displays logins and passwords extracted from the default secure storage, such as the keychain database. Application files can also contain these valuable data; Oxygen Forensic Suite parses them and displays them alongside.
- Key Evidence: The Key Evidence section offers a clean, uncluttered view of evidence marked as essential by investigators. Forensic specialists can mark certain items belonging to various sections as essential evidence and then review them all at once, irrespective of their original location.
- Backups Import: Oxygen Forensic Suite Analyst allows for the importing and parsing of data from various device backups and images created by sync software or other forensic products.
- Data Viewers: Various data viewers help experts analyze extracted data in a convenient way. Oxygen Forensic Suite has a built-in HEX viewer, picture viewer, music and video players, text viewer with code page converter, and HTML, SQLite, and Plist viewers.
- Links and Stats: Social connections between the users of mobile devices under investigation and their contacts can be easily determined with this feature. The Links and Stats section provides a convenient tool to explore social connections between device users by analyzing calls, text and multimedia messages, e-mail messages, and Skype activity.
- Global Search: Global Search allows for discovering user data in every section of the device. This tool offers the ability to search for text, phone numbers, emails, geo coordinates, IP addresses, MAC addresses, and credit card numbers. A regular expression library is available for more customized searches.
- Call Data Records: Oxygen Forensic Call Data Expert is a forensic program that allows the import and analysis of Call Data Record (CDR) files received from mobile service providers, regardless of the differences in their column formats and file layouts.
Source: http://www.oxygen-forensic.com

Examination and Analysis

- During forensic analysis, the investigator should try to find all the information that may help in solving the case
- Forensic examination and analysis help reveal potential evidence and uncover useful information related to the crime

Examination and analysis of an image involve finding traces of potential evidence relevant to the case. The investigator should be aware of all parameters related to the crime, the criminals, and the evidence in the mobile phone image. The examination stage is a useful step in the acquisition process since it reveals potential evidence. Thoroughly analyze the acquired data to draw conclusions related to the case. Data analysis techniques depend on the scope of the case or the client's requirements. Analysis helps to filter the useful evidence from a large set of acquired data. Identify and categorize data in order of relevance to the case, such that the most relevant data serves as the most important evidence in the case.
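The Plist Viewer feature above relies on the fact that Apple property lists come in two encodings (XML and binary, the latter starting with the bplist00 magic) that carry the same nested dictionary/array structure. The following is an added example, not EC-Council's or Oxygen's code, showing the core of such a viewer with Python's standard plistlib: it loads either encoding, flattens the tree into "path -> value" pairs that can be searched, and pulls a Wi-Fi access point list into a timeline. The plist content and its key names (List of known networks, SSID_STR, BSSID, lastJoined) are constructed for this example and are not a claim about the real iOS file layout.

```python
"""Core of a plist viewer: parse XML or binary plists, flatten for search,
extract a Wi-Fi network timeline.  Added example with constructed data."""
import plistlib
from datetime import datetime, timezone

# Constructed sample plist; key names are an assumption, not the real format.
SAMPLE_XML_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>List of known networks</key>
  <array>
    <dict>
      <key>SSID_STR</key><string>HomeNet</string>
      <key>BSSID</key><string>aa:bb:cc:dd:ee:01</string>
      <key>lastJoined</key><date>2016-03-01T08:15:00Z</date>
    </dict>
    <dict>
      <key>SSID_STR</key><string>CoffeeShop</string>
      <key>BSSID</key><string>aa:bb:cc:dd:ee:02</string>
      <key>lastJoined</key><date>2016-03-02T17:40:00Z</date>
    </dict>
  </array>
  <key>AllowEnable</key><true/>
</dict>
</plist>
"""


def load_plist(data):
    """plistlib.loads detects XML vs binary (b'bplist00' magic) on its own."""
    return plistlib.loads(data)


def to_binary(data):
    """Re-encode as a binary plist, the form most iOS system plists use."""
    return plistlib.dumps(load_plist(data), fmt=plistlib.FMT_BINARY)


def flatten(node, prefix=""):
    """Flatten nested dict/array into {'path': value}, like a viewer's tree."""
    out = {}
    if isinstance(node, dict):
        for key, value in node.items():
            out.update(flatten(value, "%s/%s" % (prefix, key) if prefix else key))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            out.update(flatten(value, "%s/%d" % (prefix, index)))
    else:
        out[prefix] = node
    return out


def known_networks(data):
    """Return (ssid, bssid, last_joined as ISO-8601 UTC) tuples, newest first.

    plistlib returns <date> values as naive datetimes that represent UTC,
    so the timezone is attached explicitly before formatting."""
    plist = load_plist(data)
    rows = []
    for net in plist.get("List of known networks", []):
        joined = net.get("lastJoined")
        if isinstance(joined, datetime):
            joined = joined.replace(tzinfo=timezone.utc).isoformat()
        rows.append((net.get("SSID_STR"), net.get("BSSID"), joined))
    rows.sort(key=lambda row: row[2] or "", reverse=True)
    return rows


if __name__ == "__main__":
    for path, value in sorted(flatten(load_plist(SAMPLE_XML_PLIST)).items()):
        print(path, "=", value)
    for ssid, bssid, joined in known_networks(to_binary(SAMPLE_XML_PLIST)):
        print(joined, ssid, bssid)
```

Flattening to paths is what makes the "Global Search" style of lookup practical over hundreds of plists: a search for a MAC address or SSID hits the leaf regardless of how deeply it is nested. The binary round trip shows that the extraction logic does not depend on which encoding the device stored.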
Investigator Mobile Forensics Exam 312-49 Generating Investigation Report The results obtained in all the steps of forensics process needs to be presented in a prescribed standard format A forensics report should include the complete forensics investigation process followed along with supporting documents such as photographs, notes, and signatures of specialists A forensics tool is used to prepare reports to present the forensics result in a prescribed format Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited The purpose of the forensic report is to communicate the results of the forensic investigation The following are the exhibits relevant to the mobile forensic report:  Photographs or diagrams  Curriculum vitae of the witness The investigative report should contain:  Description of how the incident occurred  Technically sound and clear-to-understand content  Proper formatting, page, and paragraph numbering for easy reference  Unambiguous conclusions, opinions, and recommendations supported by figures and facts  Adherence to local laws of the land to be admissible in courts Module 13 Page 1369 Computer Hacking Forensic Investigator Copyright © by EC-Council All Rights Reserved Reproduction is Strictly Prohibited Computer Hacking Forensic Investigator Mobile Forensics Exam 312-49 Mobile Forensics Report Template The mobile forensics report should contain: Summary Objectives Date and time the incident allegedly occurred Mobile Subscriber International ISDN Number (MSISDN) Integrated Circuit Card ID (ICCID) MMS International Mobile Subscriber Identity (IMSI) Mobile Country Code (MCC) Date and time the incident was reported to agency personnel Service Provider Name (SPN) Mobile Network Code (MNC) Abbreviated dialing numbers Name of the person or persons reporting the incident Last Numbers received Mobile Subscriber Identification Number (MSIN) Last Numbers dialed Preservation of the evidence Missed calls Investigative techniques 
Mobile forensics report template (slide contents):
- Examination start date and time
- Physical condition of the phone
- Photos of the phone and its individual components
- Phone status when received (turned on or off)
- Make and model
- Short Message Service (SMS) messages
- Tools used for the acquisition
- Tools used for the examination
- Calendar entries
- Photographs stored in the handset
- Video stored in the handset
- Smart Media/Compact Flash cards
- Data found during the examination
- Notes from peer review
- Supporting expert opinion

The mobile forensics report is created using a specific prescribed format. The report template enables investigators to produce a detailed forensic report within a proven and time-saving framework, and working from the template reduces the risk of omitting any evidence. The standard mobile forensics report template includes the types of information listed above. All of the information in the forensic report should be clear and provided in a detailed manner.

Sample Mobile Forensic Analysis Worksheet
Source: http://ccf.cs.uml.edu

The forensics report should also include the phone manufacturer, model number, carrier, and the current phone number associated with the phone identity. The Mobile Forensic Analysis Worksheet generally includes the following information:
- Legal authority to examine the phone: The examiner has to determine whether legal authority exists for the search of the cellular phone and record it in the worksheet.
- The goals of the examination: The examiner must state the goal of the examination of the mobile phone to make clear why each task was performed during the investigation.
- Identifying information for the mobile phone: The analysis worksheet records the following identifiers:
  o Electronic Serial Number (ESN) and Mobile Equipment Identifier (MEID)
  o Subscriber Identity Module (SIM)
  o International Mobile Equipment Identity (IMEI)
  o Mobile Identification Number (MIN) and Mobile Directory Number (MDN)
  o Integrated Circuit Card Identifier (ICCID)
Source: http://ccf.cs.uml.edu

Cellebrite UFED Touch Sample Mobile Forensics Report Snapshot
UFED Touch is a mobile forensics solution that enables investigators to extract, decode, and analyze evidentiary data in a forensically sound manner from a wide range of mobile devices. (UFED Touch HTML report preview: http://www.cellebrite.com)

Investigators use the tool to extract evidence from mobile devices. It is a standalone mobile forensic application that supports physical, file-system, and logical extraction of data and passwords and the recovery of deleted data from mobile devices. Investigators can capture and record images using the UFED Camera. UFED 4.0 is the current version of the application at the time of writing. Using the device, investigators can determine the make and model of the handset and additional details such as the IMEI number, ICCID number, IMSI number, extraction start date and time, extraction end date and time, phone data, and the connection type. The results can also be viewed as an HTML report.
Source: http://www.cellebrite.com/
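The identifiers listed on the analysis worksheet above (IMEI, ICCID and the rest) are usually transcribed by hand from a device label, a SIM card or a tool report, so a practitioner wants a check that catches transcription errors before the worksheet is signed off. The following is an added example, not code from the CHFI module, from the ccf.cs.uml.edu worksheet, or from Cellebrite: it validates an IMEI and an ICCID against their Luhn check digit and splits the IMEI into its TAC and serial parts for the worksheet. The sample values are constructed test values, not identifiers of any real device (the IMEIs are the published Luhn test values; the ICCID payload is made up and its check digit is computed by the code). The accepted ICCID length range of 19 to 20 digits is an assumption made by this example.

```python
"""Validate handset and SIM identifiers (IMEI, ICCID) before recording them on a
mobile forensic analysis worksheet.

Added example: not from the CHFI module, the UML worksheet or any vendor tool.
Sample identifiers below are constructed test values, not from a real device.
"""
import re


def _digits(value: str) -> str:
    """Strip separators (spaces, hyphens) that device labels and worksheets often carry."""
    return re.sub(r"[^0-9]", "", value)


def luhn_valid(number: str) -> bool:
    """Luhn (mod 10) check over the full number; the last digit is the check digit."""
    digits = _digits(number)
    if not digits:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right, skipping the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Compute the Luhn check digit that makes payload + digit pass luhn_valid()."""
    digits = _digits(payload)
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:  # the rightmost payload digit is the first one doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def parse_imei(imei: str) -> dict:
    """Split a 15-digit IMEI into TAC (8), serial (6) and check digit (1), and validate it."""
    digits = _digits(imei)
    if len(digits) != 15:
        return {"imei": digits, "valid": False, "reason": "IMEI must be 15 digits"}
    ok = luhn_valid(digits)
    return {
        "imei": digits,
        "tac": digits[:8],        # Type Allocation Code: identifies the model
        "serial": digits[8:14],   # manufacturer serial within that TAC
        "check_digit": digits[14],
        "valid": ok,
        "reason": None if ok else "Luhn check failed (transcription error?)",
    }


def parse_iccid(iccid: str) -> dict:
    """Validate an ICCID: 19-20 digits (assumed range), '89' telecom prefix, Luhn check digit."""
    digits = _digits(iccid)
    reason = None
    if not 19 <= len(digits) <= 20:
        reason = "ICCID must be 19 or 20 digits"
    elif not digits.startswith("89"):
        reason = "ICCID does not start with the 89 telecom industry identifier"
    elif not luhn_valid(digits):
        reason = "Luhn check failed (transcription error?)"
    return {"iccid": digits, "valid": reason is None, "reason": reason}


def worksheet_identity(imei: str, iccid: str) -> dict:
    """Identity block for the worksheet: the identifiers plus their validation status."""
    return {"imei": parse_imei(imei), "iccid": parse_iccid(iccid)}


if __name__ == "__main__":
    # Constructed sample values: a published Luhn test IMEI and a made-up ICCID
    # payload whose check digit is computed here rather than copied from a device.
    sample_iccid = "890126012345678901" + luhn_check_digit("890126012345678901")
    record = worksheet_identity("49-015420-323751-8", sample_iccid)
    for key, entry in record.items():
        print(key.upper(), entry)
```

The check only catches single-digit and most transposition errors; it says nothing about whether the identifier belongs to the seized handset, so the worksheet still needs the photograph of the label under the battery or the "About" screen as the primary record. ESN/MEID (which use a hexadecimal variant of the Luhn check) and MIN/MDN (plain telephone numbers) are not covered by this example.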
Module Summary
- Mobile phone forensics is the science of recovering digital evidence from a mobile phone under forensically sound conditions.
- Diversity in mobile OS architecture may affect the forensic analysis process.
- Knowledge of the mobile OS boot process helps investigators gain lower-level access.
- Mobile storage and evidence locations include internal memory, the SIM card, and external memory.
- Identifying the cell phone brand, model, OS, and network service provider helps in choosing an appropriate forensic tool for data acquisition.
- Rooting/jailbreaking provides privileged control (known as "root access") over the device's subsystems, enabling data acquisition; it also modifies the device, so the step must be documented in the report.
- Standard tools such as Cellebrite UFED Touch can be used to prepare the mobile forensics report.

This module discussed the need for mobile forensics and the forensic process used to acquire, analyze, and carve data from mobile devices. It covered the architectures and boot processes of mobile operating systems that forensic investigators need to take into account while conducting a forensic examination. By understanding the concepts covered in the module, you will be able to bypass Android and iOS device passcodes, jailbreak iOS devices, and root Android devices. The module also explained the mobile forensic process, which includes collecting and preserving the evidence, documenting the scene, imaging and profiling the evidence, acquiring and analyzing information, and generating a report.

Posted on: 14/09/2022, 16:02
